Microsoft Purview Audit provides an integrated solution to help organizations effectively respond to security incidents, forensic investigations, internal investigations, and compliance obligations. As announced in the previous Microsoft blogs in July 2023 and October 2023, Microsoft Purview Audit is expanding access to wider cloud security activity logs. As part of the changes, Audit (Standard) license holders will be able to access an additional 30 audit logs that were previously generated only for Audit (Premium) license holders. Eleven new Standard logs under Stream and Viva Engage workloads became Generally Available in November 2023.
We are excited to announce that the remaining 19 new Standard logs under Exchange, Microsoft Teams, and SharePoint Online workloads are now available in Public Preview to all Worldwide and Gov cloud customers. To learn more about when these logs will become Generally Available in your tenant, please visit the Public roadmap.
Overview of New Standard Logs
19 new Standard logs are now available in Public Preview under Exchange, Microsoft Teams, and SharePoint Online workloads. The following table provides details of these logs.
Workload |
Operation |
Description |
Exchange |
send |
A message was sent, replied to or forwarded. |
mailitemsaccessed |
Messages were read or accessed in mailbox. |
|
searchqueryinitiatedexchange |
Triggered when a user searches for items in an Exchange mailbox. |
|
Teams |
meetingparticipantdetail |
Teams added information about the participants of a meeting, including the user ID of each participant, the time a participant joined the meeting, and the time a participant left the meeting. |
messagesent |
A new message was posted to a chat or channel. |
|
messageslisted |
Messages from a chat or channel were retrieved. |
|
meetingdetail |
Teams added information about a meeting, including the start time, the end time, and the URL to join the meeting. |
|
messageupdated |
A message of a chat or channel was updated. |
|
chatretrieved |
A Microsoft Teams chat was retrieved. |
|
messageread |
A message from a chat or channel was retrieved. |
|
messagehostedcontentread |
Hosted content in a message, such as an image or a code snippet, was retrieved. |
|
subscribedtomessages |
A subscription was created by a listener application to receive change notifications for messages. |
|
messagehostedcontentslisted |
All hosted content in a message, such as images or code snippets, was retrieved. |
|
chatcreated |
A Teams chat was created. |
|
chatupdated |
A Teams chat was updated. |
|
messagecreatednotification |
A change notification was sent to notify a subscribed listener application of a new message. |
|
messagedeletednotification |
A change notification was sent to notify a subscribed listener application of a deleted message. |
|
messageupdatednotification |
A change notification was sent to notify a subscribed listener application of an updated message. |
|
SharePointOnline |
searchqueryinitiatedsharepoint |
Triggered when a user searches for items in SharePoint sites of the organization. |
The following 11 new Standard Logs under Stream and Viva Engage workloads are Generally Available.
Workload |
Operation |
Description |
Stream |
streaminvokegettranscript |
A transcript was extracted from Microsoft Stream. |
streaminvokechannelview |
This event tracks when a user views a channel in Microsoft Stream. |
|
streaminvokegettexttrack |
Accessing or retrieving text tracks (such as captions or subtitles) associated with a video in Microsoft Stream. |
|
streaminvokegetvideo |
Video content was invoked on Microsoft Stream. |
|
streaminvokegroupview |
A group was viewed on Microsoft Stream. |
|
Viva Engage (Yammer) |
threadviewed |
User views a thread on Viva Engage. |
threadaccessfailure |
User failed to access a thread on Viva Engage. |
|
messageupdated |
User updates a message in Viva Engage. |
|
fileaccessfailure |
User failed to access a file in Viva Engage. |
|
messagecreation |
User creates a message in Viva Engage. |
|
groupaccessfailure |
User failed to access a group in Viva Engage. |
Premium insights available for Audit (Premium) users
Audit (Premium) license holders will continue to get longer default retention, broader access to export data, higher bandwidth API access, and logs enriched by Microsoft’s AI-powered intelligent insights. If your organization has users with an Audit (Premium) license, they will generate the following logs with additional data described in the Premium Insight column below.
Workload |
Operation |
Premium Insight |
Exchange |
mailitemsaccessed |
SensitivityLabel |
Teams |
meetingparticipantdetail |
IsJoinedFromLobby, ArtifactShared
|
messageslisted |
AppAccessContext |
|
messageupdated |
ParticipantInfo, AppAccessContext |
|
chatretrieved |
AppAccessContext |
|
messageread |
AppAccessContext |
|
messagehostedcontentread |
AppAccessContext |
|
subscribedtomessages |
AppAccessContext |
|
messagehostedcontentslisted |
AppAccessContext |
|
chatcreated |
AppAccessContext |
|
chatupdated |
AppAccessContext |
|
messagecreatednotification |
AppAccessContext |
|
messagedeletednotification |
AppAccessContext |
|
messageupdatednotification |
AppAccessContext |
Enable Exchange Mailbox Logging
The Exchange MailItemsAccessed and Send logs are enabled by default unless the mailbox’s DefaultAuditSet setting was modified. To ensure these new standard logs are generated, an admin may need to ensure the appropriate mailbox settings are enabled.
The following command can be used to check if a mailbox is currently using the default audit settings:
Get-Mailbox -Identity <MailboxIdentity>
The DefaultAuditSet property returned by the Get-Mailbox cmdlet; a mailbox using the defaults will show the following result:
DefaultAuditSet : { Owner, Admin, Delegate }
If any of those values are missing, the mailbox is not using the default audit settings.
If any changes were previously made to the default mailbox settings for a Standard user, an update must be made to enable the new standard Exchange logs for each mailbox. To ensure the new standard Exchange logs MailItemsAccessed and Send are stored, admins will either need to make sure Audit mailboxes are configured to the default settings or add the new standard logs to each mailbox. The following changes can be made in Exchange Online PowerShell.
Option 1: Reset each mailbox to the default settings
Any previous customizations, like auditing of MailboxLogin, will be reset once the mailbox is using the default settings. The following command will re-enable the default audit settings for the mailbox:
Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet Admin,Delegate,Owner
Option 2: Add the new standard logs to each mailbox
If you would prefer to keep the customizations for each mailbox, the following Set-Mailbox command will add the new standard logs to each mailbox. This command will add (only) the new Standard logs for each mailbox, retaining any existing customization, but any future changes to the defaults will need to be added at that point:
Set-Mailbox -Identity <MailboxIdentity> -AuditOwner @{add="MailItemsAccessed","Send" } -AuditAdmin @{add="MailItemsAccessed","Send"} -AuditDelegate @{add="MailItemsAccessed"}
Enable Mailboxes for all Standard Users
Every standard user mailbox should have AuditEnabled set to true to ensure all audit records are uploaded to Purview Audit. This step is not necessary for any users with an Audit Premium license assigned. Please note that this Set-Mailbox command must be run for every Standard license user regardless of its current value to correctly enable their mailbox to upload the new standard logs to Purview Audit.
The following command will set AuditEnabled to true.
Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true
More information regarding the setup instructions for these commands and information regarding permissions can be found here. Detailed information regarding activating these new logs for Audit Standard users will be added in a future update to the Microsoft Purview Audit public documentation.
We are pleased to share today’s cloud logging update as a continuation of the thoughtful conversations we’ve had with our security experts, customers, and influential authorities like CISA. Please visit the Public roadmap to get the latest information on updates coming to Microsoft Purview Audit.